AWS resource-explorer low security documentation change
Summary
Added note about immediate access to Resource Explorer without activation, and standardized capitalization of 'Unified Search' in multiple sections. Expanded explanation of 'access denied' errors related to ListIndexes permissions.
Security assessment
The change explains how missing IAM permissions for resource-explorer-2:ListIndexes cause 'access denied' CloudTrail entries when using Unified Search. This clarifies a security-related permission requirement for proper functionality, though it documents existing behavior rather than patching a vulnerability.
Diff
diff --git a/resource-explorer/latest/userguide/troubleshooting.md b/resource-explorer/latest/userguide/troubleshooting.md index e15b45904..22feec8bd 100644 --- a//resource-explorer/latest/userguide/troubleshooting.md +++ b//resource-explorer/latest/userguide/troubleshooting.md @@ -6,0 +7,2 @@ General issues +AWS Resource Explorer now provides immediate access to resource search and discovery capabilities in a Region. With this launch, you no longer need to activate Resource Explorer to discover your resources. [Learn more](https://docs.aws.amazon.com/resource-explorer/latest/userguide/manage-immediate-resource-discovery-experience.html) + @@ -28 +30 @@ If you encounter issues when working with Resource Explorer, consult the topics - * Why does unified search in the console cause "access denied" errors in my CloudTrail logs? + * Why does Unified Search in the console cause "access denied" errors in my CloudTrail logs? @@ -74 +76 @@ Alternatively, you might consider attaching the [AWS managed permission `AWSReso -### Why does unified search in the console cause "access denied" errors in my CloudTrail logs? +### Why does Unified Search in the console cause "access denied" errors in my CloudTrail logs? @@ -76 +78 @@ Alternatively, you might consider attaching the [AWS managed permission `AWSReso -[Unified search in the AWS Management Console](./using-unified-search.html) lets principals search from any page in the AWS Management Console. The results can include resources from the principal's account if Resource Explorer is turned on and configured to support unified search. Whenever you start typing in the unified search bar, unified search attempts to call `resource-explorer-2:ListIndexes` operation to check whether it can include resources from the user's account in the results. +[Unified Search in the AWS Management Console](./using-unified-search.html) lets principals search from any page in the AWS Management Console. The results can include resources from the principal's account if Resource Explorer is turned on and configured to support Unified Search. Whenever you start typing in the Unified Search bar, Unified Search attempts to call `resource-explorer-2:ListIndexes` operation to check whether it can include resources from the user's account in the results. @@ -78 +80 @@ Alternatively, you might consider attaching the [AWS managed permission `AWSReso -Unified search uses the currently signed-in user's permissions to perform this check. If that user doesn't have permission to call `resource-explorer-2:ListIndexes` granted in an attached AWS Identity and Access Management (IAM) permission policy, then the check fails. That failure is added as an `Access denied` entry in your CloudTrail logs. +Unified Search uses the currently signed-in user's permissions to perform this check. If that user doesn't have permission to call `resource-explorer-2:ListIndexes` granted in an attached AWS Identity and Access Management (IAM) permission policy, then the check fails. That failure is added as an `Access denied` entry in your CloudTrail logs.